User documentation for this release

SSL Orchestrator features in 13.0.0

F5 SSL Orchestrator

F5 SSL Orchestrator provides an all-in-one appliance solution designed specifically to optimize the SSL infrastructure, give security devices visibility into SSL/TLS-encrypted traffic, and maximize efficient use of the existing security investment. The solution supports policy-based management and steering of traffic flows to existing security devices, is designed to integrate easily into existing architectures, and centralizes the SSL decrypt/encrypt function by delivering the latest SSL encryption technologies across the entire security infrastructure.

Multi-Layered Security

In order to solve specific security challenges, security administrators are accustomed to manually chaining together multiple point products, creating a bare-bones “security stack” consisting of multiple services. A typical stack may include components like Data Leak Prevention (DLP) scanners, Web Application Firewalls (WAF), Intrusion Prevention and Detection Systems (IPS and IDS), Malware Analysis tools, and more. In this model, all user sessions are provided the same level of security, as this “daisy chain” of services is hard-wired.

Dynamic Service Chaining

Dynamic Service Chaining processes specific connections based on context provided by the Classification Engine. A service chain can include four types of services that you define (Layer 2 in-line services, Layer 3 in-line services, receive-only services, and ICAP services), as well as any decrypt zone between separate ingress and egress devices.

Classification Engine

The Classification Engine provides a rich set of context-based methods for dynamically determining how best to optimize the flow through the security stack. Context can come from the following:

Source IP/subnet

Destination IP/subnet

IP intelligence category (requires a subscription)

IP geolocation

Host and domain name

URL filtering category (requires a subscription)

Destination port

Protocol

Deployment modes

F5 recommends deploying SSL Orchestrator in active-inline mode and has optimized it for that mode. This mode supports the broadest set of industry-recommended cipher suites, enables policy-based steering for better utilization of the security services deployed at either OSI Layer 2 or Layer 3, and helps reduce administrative costs by steering traffic efficiently according to its context, with selective load balancing and health monitoring of the security devices.

Known issues

ID number

Description

463214

The COMPAT SSL stack does not support connection mirroring.

474797

If malformed SSL packets are sent to the BIG-IP system, errors such as the following can be logged to /var/log/ltm: "Device error: cn9 core general. crypto codec cn-crypto-4 queue is stuck." This is a cosmetic issue only, and the errors can be safely ignored.

487884

The SSL::collect and SSL::release iRule events might not work as expected in a mirroring configuration.

488314

When mirroring is enabled on an SSL virtual server and a failover occurs during the SSL handshake (negotiation or renegotiation), SSL connections might stall or be reset because of a handshake timeout. There is no workaround.

562370

SSL traffic may stall if the mirror setting on the SSL virtual server differs between the active and the standby unit, for instance if mirroring is enabled on the active unit and disabled on the standby unit. Connections on the active unit may stall for up to 'Handshake timeout' seconds. Workaround: Configure the same mirror setting on the virtual server on both units.

565195

Saving the pre-master secret (PMS) with ssldump -M PMS generates malformed output.

597099

SSL Forward Proxy appears to be unable to handle an SSL handshake inside an explicit proxy CONNECT request. This appears to be the case when the explicit proxy is placed after the SSL Forward Proxy or within the inspection zone.

600940

The SSL Orchestrator setup wizard automatically provisions licensed features. If too many resources are provisioned, the setup wizard may misbehave and fail to exit automatically. After completing the wizard, you are returned to the license page, and reactivating produces the following error: General error: 01071008:3: Provisioning failed with error 255 - 'Physical memory (3967MiB) insufficient for 3 or more modules.' Workaround: Upgrade the VE instance to 8 or more Gigabytes of RAM.

The one-box solution cannot be redeployed after loading the system default configuration. Workaround: Clear REST storage when loading defaults on the BIG-IP.

621981

Deploying a one-box solution with IPv6 fails and results in an error.

622687

Save a copy of your existing configuration before reconfiguring any part of the iApp. An error during reconfiguration may cause a loss of your configuration details.

623179

When you click the name of an L3 inline service to reconfigure it, the drop-down menu that lists interfaces does not load and is empty.

623441

SSLi iAppLX: Automatic interface selection does not work when you select a VLAN if you are already on the Receive Only page and the VLAN was just created using TMSH.

624393

Deleting the SSL Orchestrator iApp from TMSH is not recommended. Use the SSL Orchestrator UI to manage the iApp.

643746

When SNAT is chosen in the iApp, the "others" virtual server does not translate the address. If a request is sent from a private IP address to the internet, traffic processed by the "others" virtual server does not come back to the BIG-IP.

644182

The IP Intelligence (IPI) subscription add-on to the SSL Orchestrator license fails to initialize and does not automatically download the IP reputation database.
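Known issue 562370 above is caused by a mirror setting that differs between the active and standby units. The following script, added here as an example and not part of F5's documentation or product, parses the text of `tmsh list ltm virtual` captured on each unit and reports the virtual servers whose mirror setting differs; the sample tmsh output is constructed, and treating profiles shown with a clientside/serverside context as the SSL profiles is an assumption.

```python
# Added example, not F5 code: report virtual servers whose 'mirror' setting differs
# between active and standby units (issue 562370), from 'tmsh list ltm virtual' text.
import re

# Constructed sample of 'tmsh list ltm virtual' output from the active unit.
ACTIVE_TMSH = """\
ltm virtual /Common/vs_ssl_443 {
    mirror enabled
    profiles {
        /Common/clientssl { context clientside }
    }
}
ltm virtual /Common/vs_http_80 {
    mirror enabled
    profiles {
        /Common/http { }
    }
}
"""
# Standby left mirroring at its default (disabled), which tmsh does not print.
STANDBY_TMSH = ACTIVE_TMSH.replace("    mirror enabled\n", "")

VIRTUAL_RE = re.compile(r"^ltm virtual (\S+) \{\s*$")
MIRROR_RE = re.compile(r"^\s*mirror (enabled|disabled)\s*$")

def parse_virtuals(tmsh_text):
    """Map virtual name -> {'mirror': 'enabled'|'disabled', 'ssl': bool}."""
    virtuals, name, depth = {}, None, 0
    for line in tmsh_text.splitlines():
        m = VIRTUAL_RE.match(line)
        if m and depth == 0:
            name = m.group(1)
            virtuals[name] = {"mirror": "disabled", "ssl": False}  # tmsh default
        elif name is not None:
            if depth == 1 and (mm := MIRROR_RE.match(line)):
                virtuals[name]["mirror"] = mm.group(1)
            # Assumption: SSL profiles are those listed with a clientside/serverside context.
            if depth == 2 and re.search(r"context (clientside|serverside)", line):
                virtuals[name]["ssl"] = True
        depth += line.count("{") - line.count("}")
        if depth == 0:
            name = None
    return virtuals

def find_mirror_mismatches(active_text, standby_text, ssl_only=True):
    """Sorted names of virtuals (SSL ones by default) whose mirror setting differs."""
    active, standby = parse_virtuals(active_text), parse_virtuals(standby_text)
    return sorted(n for n in active.keys() & standby.keys()
                  if active[n]["mirror"] != standby[n]["mirror"]
                  and (active[n]["ssl"] or not ssl_only))
```

Any name the script reports should have its mirror setting made identical on both units, as the workaround for 562370 describes.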

Behavior changes in 13.0.0

ID Number

Description

631529

Similar TPS numbers are seen in tests with 10SID reuse enabled and disabled.

632106

The control channel implementation in SSL Orchestrator two-box mode drops control messages under load.

640276

SSL Orchestrator deployment times out on the Herculon i2800 platform. Workaround: Go to "System :: Resource Provisioning" in TMUI, change the Management (MGMT) provision level to "Medium", and try to deploy again. Platforms with an SSL Orchestrator license should have the Management module provisioned at the "Medium" level by default and should be able to deploy SSL Orchestrator successfully.

645651

iAppLX times out intermittently, and slow system response is experienced with the default SSL Orchestrator provisioning.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews

The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.

Periodic plain text TechNews

F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.